c5b64b14c81c8a01e31f1df394679f6b0e90cf9e19aa043eacdf8f62999a1143

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Size

64KB
MD5

78b946447ff56636422972b7c642b240
SHA1

8b8076671b5456b08a34a0dde9e8039685cf7929
SHA256

c5b64b14c81c8a01e31f1df394679f6b0e90cf9e19aa043eacdf8f62999a1143
SHA512

fb2170bf427aa96b36ba02a20f15f91810f2b09dde3f5f1d18245f22f049f370a12aee99654e5f839b046b1d283fb1224d2ad5b6b5e8dd46f9b06ea727380d63
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLroTr4/CFsrdHWMZw:Ovw981xvhKQLroTr4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D648EC8C-7BB9-485b-A315-CBD83735F54A}	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B526F768-10D8-4c6c-938E-8671A0313470}	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B526F768-10D8-4c6c-938E-8671A0313470}\stubpath = "C:\\Windows\\{B526F768-10D8-4c6c-938E-8671A0313470}.exe"	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4201F84D-905A-4557-802A-56BE0F9CF299}	{B526F768-10D8-4c6c-938E-8671A0313470}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4201F84D-905A-4557-802A-56BE0F9CF299}\stubpath = "C:\\Windows\\{4201F84D-905A-4557-802A-56BE0F9CF299}.exe"	{B526F768-10D8-4c6c-938E-8671A0313470}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFCC2721-34AE-4f35-A550-9013E4B74A1B}	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}	{AEC546CB-1A26-4653-8080-D981B8003709}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}	{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}\stubpath = "C:\\Windows\\{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe"	{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}\stubpath = "C:\\Windows\\{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}.exe"	{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}\stubpath = "C:\\Windows\\{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe"	{AEC546CB-1A26-4653-8080-D981B8003709}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}\stubpath = "C:\\Windows\\{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe"	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFCC2721-34AE-4f35-A550-9013E4B74A1B}\stubpath = "C:\\Windows\\{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe"	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}\stubpath = "C:\\Windows\\{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe"	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D648EC8C-7BB9-485b-A315-CBD83735F54A}\stubpath = "C:\\Windows\\{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe"	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}\stubpath = "C:\\Windows\\{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe"	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC546CB-1A26-4653-8080-D981B8003709}	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AEC546CB-1A26-4653-8080-D981B8003709}\stubpath = "C:\\Windows\\{AEC546CB-1A26-4653-8080-D981B8003709}.exe"	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}	{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe

Deletes itself 1 IoCs

pid	Process
2552	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe
2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe
2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe
2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe
1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe
1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe
2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe
2116	{AEC546CB-1A26-4653-8080-D981B8003709}.exe
2052	{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe
2804	{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe
2964	{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe
File created	C:\Windows\{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe
File created	C:\Windows\{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe	{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe
File created	C:\Windows\{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}.exe	{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe
File created	C:\Windows\{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe
File created	C:\Windows\{B526F768-10D8-4c6c-938E-8671A0313470}.exe	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe
File created	C:\Windows\{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	{B526F768-10D8-4c6c-938E-8671A0313470}.exe
File created	C:\Windows\{AEC546CB-1A26-4653-8080-D981B8003709}.exe	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe
File created	C:\Windows\{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe	{AEC546CB-1A26-4653-8080-D981B8003709}.exe
File created	C:\Windows\{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
File created	C:\Windows\{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe
Token: SeIncBasePriorityPrivilege	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe
Token: SeIncBasePriorityPrivilege	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe
Token: SeIncBasePriorityPrivilege	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe
Token: SeIncBasePriorityPrivilege	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe
Token: SeIncBasePriorityPrivilege	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe
Token: SeIncBasePriorityPrivilege	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe
Token: SeIncBasePriorityPrivilege	2116	{AEC546CB-1A26-4653-8080-D981B8003709}.exe
Token: SeIncBasePriorityPrivilege	2052	{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe
Token: SeIncBasePriorityPrivilege	2804	{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2192	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2192	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2192	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2192	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2552	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	29
PID 1664 wrote to memory of 2552	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	29
PID 1664 wrote to memory of 2552	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	29
PID 1664 wrote to memory of 2552	1664	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	29
PID 2192 wrote to memory of 2688	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	30
PID 2192 wrote to memory of 2688	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	30
PID 2192 wrote to memory of 2688	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	30
PID 2192 wrote to memory of 2688	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	30
PID 2192 wrote to memory of 2740	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	31
PID 2192 wrote to memory of 2740	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	31
PID 2192 wrote to memory of 2740	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	31
PID 2192 wrote to memory of 2740	2192	{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe	31
PID 2688 wrote to memory of 2416	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	32
PID 2688 wrote to memory of 2416	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	32
PID 2688 wrote to memory of 2416	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	32
PID 2688 wrote to memory of 2416	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	32
PID 2688 wrote to memory of 2468	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	33
PID 2688 wrote to memory of 2468	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	33
PID 2688 wrote to memory of 2468	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	33
PID 2688 wrote to memory of 2468	2688	{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe	33
PID 2416 wrote to memory of 2684	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	36
PID 2416 wrote to memory of 2684	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	36
PID 2416 wrote to memory of 2684	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	36
PID 2416 wrote to memory of 2684	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	36
PID 2416 wrote to memory of 2504	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	37
PID 2416 wrote to memory of 2504	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	37
PID 2416 wrote to memory of 2504	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	37
PID 2416 wrote to memory of 2504	2416	{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe	37
PID 2684 wrote to memory of 1744	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	38
PID 2684 wrote to memory of 1744	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	38
PID 2684 wrote to memory of 1744	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	38
PID 2684 wrote to memory of 1744	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	38
PID 2684 wrote to memory of 2304	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	39
PID 2684 wrote to memory of 2304	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	39
PID 2684 wrote to memory of 2304	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	39
PID 2684 wrote to memory of 2304	2684	{B526F768-10D8-4c6c-938E-8671A0313470}.exe	39
PID 1744 wrote to memory of 1696	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	40
PID 1744 wrote to memory of 1696	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	40
PID 1744 wrote to memory of 1696	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	40
PID 1744 wrote to memory of 1696	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	40
PID 1744 wrote to memory of 1564	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	41
PID 1744 wrote to memory of 1564	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	41
PID 1744 wrote to memory of 1564	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	41
PID 1744 wrote to memory of 1564	1744	{4201F84D-905A-4557-802A-56BE0F9CF299}.exe	41
PID 1696 wrote to memory of 2152	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	42
PID 1696 wrote to memory of 2152	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	42
PID 1696 wrote to memory of 2152	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	42
PID 1696 wrote to memory of 2152	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	42
PID 1696 wrote to memory of 2112	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	43
PID 1696 wrote to memory of 2112	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	43
PID 1696 wrote to memory of 2112	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	43
PID 1696 wrote to memory of 2112	1696	{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe	43
PID 2152 wrote to memory of 2116	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	44
PID 2152 wrote to memory of 2116	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	44
PID 2152 wrote to memory of 2116	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	44
PID 2152 wrote to memory of 2116	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	44
PID 2152 wrote to memory of 1900	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	45
PID 2152 wrote to memory of 1900	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	45
PID 2152 wrote to memory of 1900	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	45
PID 2152 wrote to memory of 1900	2152	{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe	45

C:\Users\Admin\AppData\Local\Temp\78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78b946447ff56636422972b7c642b240_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe
  C:\Windows\{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe
    C:\Windows\{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe
      C:\Windows\{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{B526F768-10D8-4c6c-938E-8671A0313470}.exe
        
        C:\Windows\{B526F768-10D8-4c6c-938E-8671A0313470}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\{4201F84D-905A-4557-802A-56BE0F9CF299}.exe
        
        C:\Windows\{4201F84D-905A-4557-802A-56BE0F9CF299}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe
        
        C:\Windows\{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe
        
        C:\Windows\{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{AEC546CB-1A26-4653-8080-D981B8003709}.exe
        
        C:\Windows\{AEC546CB-1A26-4653-8080-D981B8003709}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe
        
        C:\Windows\{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe
        
        C:\Windows\{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}.exe
        
        C:\Windows\{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}.exe
        12⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98FB0~1.EXE > nul
        12⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FF2C~1.EXE > nul
        11⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEC54~1.EXE > nul
        10⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFCC2~1.EXE > nul
        9⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4B8D~1.EXE > nul
        8⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4201F~1.EXE > nul
        7⤵
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B526F~1.EXE > nul
        6⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5A3C~1.EXE > nul
        5⤵
        
        PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D648E~1.EXE > nul
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3734B~1.EXE > nul
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\78B946~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2FF2CAF9-5253-4ac3-AFFE-3C0C4CB4536F}.exe

Filesize
64KB

MD5
d4fbc871a386bc8417b7890ef4930c96

SHA1
71b1d956a923341bc6ea440bb8b6ab34cb207b94

SHA256
2db89adde95f5dcd6327a0873c47bea4032001615cbccdbeff120fe5a7b5c7e1

SHA512
70409c538ecad336e12d83805970317114fe56767def070e27fe91d3449a1ff4494c894479d49033eef4393c048f98fcc73de28ef0c408b1b6121c1b75e4dd59

Download Submit
C:\Windows\{3734B2A4-F884-4de1-9EFF-059B3ECFF55D}.exe

Filesize
64KB

MD5
8b4bdbecd7a7b33984f9203c08533488

SHA1
c37d0bd15c249f2ee4b7440cb262b816c6cf7b30

SHA256
b333e77a2814d002ca5f5413d156dee91d4678d4a9d6356a43d77bba336a18da

SHA512
9171473051b071f1eedc3aa75d8f6c682baa1ae59ecd6cf70f601345ea4c975d7fe53e9eefe6afae7369f00d529680faf26467830ef84c74756f24a8a7081ce5

Download Submit
C:\Windows\{4201F84D-905A-4557-802A-56BE0F9CF299}.exe

Filesize
64KB

MD5
3e500ec3c16aa2dd580b26c6a47d9308

SHA1
da399bb50ff5da0d5b570ab340f66927a94323a8

SHA256
09978bf6133a02946363274f17538c359c3c7b7830be2f88b21d5f629d35c2b6

SHA512
20fe7ef3e12bc6d54dd77fd9ca3657fc8b3eb46596d149cd4201b3a78f7d01f8c8c89178275cf9b973a3d3fe3a86b5dd24791a6c6394d4c907e07cf313f1ed82

Download Submit
C:\Windows\{98FB02F3-3241-4d5b-8E7D-7ACC8225E53F}.exe

Filesize
64KB

MD5
db0800524bf7d589f39cf4fc2243a687

SHA1
7233403a9ce8a99038cd46c371e3c7c8cf7df466

SHA256
13616d559e435d92628a7f7a57a0ba5ae489339327458c5a4ee56aae6e953761

SHA512
22f1d685b2bf161ec96c33f502a8030ed10d034871dc6bfce7bbfaa68d4dd352339bfc4e19cd983e814b8a74cdb0bb82f2661342b354f3a36d635f4ffa1c6f8a

Download Submit
C:\Windows\{AEC546CB-1A26-4653-8080-D981B8003709}.exe

Filesize
64KB

MD5
763bf046dc59d04f5f706a5466872f31

SHA1
76ce42fbc35a3062b682bd579231b80f1d062d5a

SHA256
4cda1005a916c0a683795f677bf0898c3a74eb0663bc3575b332a2e2f413560f

SHA512
de8822900b59697f311a730edc83e8ccfe6ddf4ae321d1ab278b81a05d85e3a8bb491fb79ca7c81c3281719d4458cb347c8f4aceba5bddd648dddfee45021a7e

Download Submit
C:\Windows\{B526F768-10D8-4c6c-938E-8671A0313470}.exe

Filesize
64KB

MD5
1bee79ac677313f6b64a822ef598682f

SHA1
9fac411fb731481fbea0505581367d0cfdd9e9a3

SHA256
2832dd5433ca389fed2d815429e4f618b7f342655a5ab10ac60962852b9d4308

SHA512
8ac28afd566f74038ba92af8cd4639607237d4a5085e049b942105b63e3b1ed48b8081a30d9189b8ba91c37d98321c8b589d545c6cc31621daa65ec038229a7c

Download Submit
C:\Windows\{C4B8D4ED-5DC8-40c2-8A67-CBBD1B483C60}.exe

Filesize
64KB

MD5
d0bbc92c1e6c19644b7b9f5015c11b8f

SHA1
ddbe09580bee7375483685cd866c83745f2758a8

SHA256
bcbe8e3e4594e313328a8b28c9d96f72f38cdd425f06ddab1671832d6a1220b0

SHA512
350e66e5ca61cb35c711742ca7d24002e71c9b7f80cd6c0822a42c635da4be348dc5f321a40212b011f1dd5a9a9e3482889963b2f1e5a087e5575b2dae48b2ef

Download Submit
C:\Windows\{D648EC8C-7BB9-485b-A315-CBD83735F54A}.exe

Filesize
64KB

MD5
2dafe16361f49f61261236f9f5128f31

SHA1
f1b8217fc919db386b6bfad7d58c793499730472

SHA256
f78ca8756c9f1aac38cf74ee7d9c364ea9b99c08f3ec73532a1e2b5a252f2491

SHA512
5e05755f265d54c6d601fbc744da138c14382e50227a8e627f1f2aca259f5dad5e6b3ac13dfafe86d50dd31683e6a657835cfdd4b79f52cac9dd40dc13b0070d

Download Submit
C:\Windows\{DAB5635F-7673-4a36-AF9F-A0D58BBD7D0B}.exe

Filesize
64KB

MD5
108016b3faf0b6f7360d998a9b4e06f5

SHA1
7d915fe13ba56ebb864e3efb02e99678ba2c632d

SHA256
b5bd03798538a2a1cb494cb4e0bf52996a7712d05c26663bc0a7363add0156c6

SHA512
7095b9a50ad0e33ec292f78f56704fe45178584d18ad58cc2f1dd9cac8e00a31eba4871c4ae5f1625856f6265160a3b5b44365b9a935706c3cef83d770d9291f

Download Submit
C:\Windows\{F5A3C16F-B0FC-4de8-A1E2-E1E7090CF2E4}.exe

Filesize
64KB

MD5
d4ed1a9611e440d2a2eab3c2f1e6d8ac

SHA1
6816cf0e3d7c55a9597788a126f4ef6ddce778c7

SHA256
564533c497753a2c3e297c4f1c1c123c9b5314c9b77dba66405ab2ca4a4d91bb

SHA512
b250440a59c5e07638bf0f12239d13512fcf744e6d030b662462d31ec42d5d20ec9011ecf6b8a775a1d2218e2855f6d8fcdd548a66830acb5b5b24c5e8a48779

Download Submit
C:\Windows\{FFCC2721-34AE-4f35-A550-9013E4B74A1B}.exe

Filesize
64KB

MD5
3dc6acb808a1345491886924d22a1ec2

SHA1
b63b12407a188f048fa7c81605c7f3cb13884bec

SHA256
81414c945f343c445603659c28dd4359e01830bc499c188318da551679a7ce0e

SHA512
20c57735affe6773f8c4a6cb666acac177fab965f45162aef1afcb3e08ee3abbdf3e4780684ddf48350c2518dcac02c9b18c90d73fc2659f46421ba67f100374

Download Submit
memory/1664-7-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1664-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-8-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1696-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1696-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1744-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1744-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2116-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2152-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2192-17-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2192-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2192-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2416-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2684-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2684-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2688-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2688-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2804-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2964-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads